As long as it is possible for "anyone on the planet" to reach a login: prompt on your box, you will have no end of misery, and "no dictionary will ever protect you." But you do have an alternative: an easy-to-implement alternative will shut all of this completely down, cold, and keep it that way forever after.
Have a look at my LQ blog where I discuss How To Build a 'Dwarvish Door' With OpenVPN. The strategy which I describe there will bring an immediate end to all such access attempts. To the outside world, your system has no "open ports," and, so far as they can detect, it's not running OpenVPN, either! (Unless they demonstrate in the initial handshake that they probably possess the proper tls-auth certificate, the OpenVPN server won't even answer the phone.)
The only way to enter is to possess two one-of-a-kind digital certificates, the second one of which also has not been "revoked" by you. Only then can one reach ssh or anything else. (ssh, which of course you have set up to require a third digital certificate and not to ever prompt for a password, becomes the second also-impenetrable layer in your outer defenses, guarding all access to a shell prompt ... a layer which will never be assaulted because it will never be found.)
Authorized users can clear these obstacles in seconds, and can carry on their communication with your system, securely, as though it were simply attached (through a (software) router) to their local network. They don't have to think further about security: it is secure, and they are certain that they are talking to the intended machine. (In like manner, your machine knows that it is communicating specifically with them. It knows them by name.)
(Digital certificates can be encrypted with a password, e.g. for use with "road warrior" machines that might get stolen in an airport bathroom, so that they can't be used until you get a chance to revoke them, which act instantly and selectively(!) renders them useless – encrypted or not.)
The number of unauthorized access attempts will immediately drop to zero and stay there ... forever.
I've deployed many public servers – I won't tell you the IP-addresses and you can't find them – that have never had an unauthorized access attempt. Ever. Nor will they. Ever.
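
The layers described in the post above can be checked mechanically. This added example (not from the post or the linked blog) audits an OpenVPN server config and an sshd_config for them; the sample configs, key file names and the 10.8.0.0/24 subnet are constructed assumptions, and `Match` blocks and `host:port` listen addresses are not handled.

```python
import ipaddress

def parse(text, comment_chars="#"):
    """Map each lower-cased directive to the argument lists of its occurrences."""
    conf = {}
    for line in text.splitlines():
        for c in comment_chars:
            line = line.split(c, 1)[0]
        parts = line.split()
        if parts:
            conf.setdefault(parts[0].lower(), []).append(parts[1:])
    return conf

def first(conf, names, default):
    """First argument of the first listed directive that is present, else default."""
    for n in names:
        if conf.get(n) and conf[n][0]:
            return conf[n][0][0].lower()
    return default

def audit(openvpn_text, sshd_text):
    """Return findings; an empty list means every layer is configured."""
    vpn, ssh, out = parse(openvpn_text, "#;"), parse(sshd_text), []
    # Layer 1: HMAC gate on the handshake; only UDP lets the server stay silent.
    if "tls-auth" not in vpn and "tls-crypt" not in vpn:
        out.append("openvpn: no tls-auth/tls-crypt key")
    if first(vpn, ["proto"], "udp").startswith("tcp"):
        out.append("openvpn: TCP listener shows up in a port scan")
    # Layer 2: per-client certificate, checked against the revocation list.
    if "client-cert-not-required" in vpn or first(vpn, ["verify-client-cert"], "require") != "require":
        out.append("openvpn: client certificate not required")
    if "crl-verify" not in vpn:
        out.append("openvpn: no crl-verify, revocation has no effect")
    # Layer 3: sshd never prompts for a password and listens only inside the tunnel.
    for names in (["passwordauthentication"],
                  ["kbdinteractiveauthentication", "challengeresponseauthentication"]):
        if first(ssh, names, "yes") != "no":  # both default to yes when absent
            out.append(f"sshd: {names[0]} is not 'no'")
    try:
        net = ipaddress.ip_network("/".join(vpn["server"][0][:2]))
        if not all(ipaddress.ip_address(a[0]) in net for a in ssh["listenaddress"]):
            raise ValueError("listen address outside the VPN subnet")
    except (KeyError, IndexError, ValueError):
        out.append("sshd: ListenAddress not confined to the VPN subnet")
    return out

# Constructed samples; key file names and the 10.8.0.0/24 subnet are assumptions.
GOOD_VPN = "proto udp\ntls-auth ta.key 0\ncrl-verify crl.pem\nserver 10.8.0.0 255.255.255.0\n"
GOOD_SSHD = "ListenAddress 10.8.0.1\nPasswordAuthentication no\nKbdInteractiveAuthentication no\n"
BAD_VPN, BAD_SSHD = "proto tcp\nserver 10.8.0.0 255.255.255.0\n", "ListenAddress 0.0.0.0\n"
```

`audit(GOOD_VPN, GOOD_SSHD)` returns an empty list, while `audit(BAD_VPN, BAD_SSHD)` returns one finding per missing control.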